Bug 1578872

Summary: SELinux is preventing dovecot from using the 'dac_override' capabilities.
Product: [Fedora] Fedora
Reporter: John Griffiths <fedora.jrg01>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: alanh, bennie.joubert, crash70, dan, david.m.highley, dwalsh, goeran, janfrode, lvrabec, matt, mgrepl, mhlavink, mmalik, plautrba, pmoore, pokorra.mailinglists, predatorscan, rasibley, samuel-rhbugs
Flags: alanh: needinfo-
Hardware: x86_64
OS: Linux
Whiteboard: abrt_hash:629dea9ed6dfe2c3adc5a318ce757a705af026b3c8c6b36b023f84be57daba25;
Fixed In Version: selinux-policy-3.14.1-36.fc28
Last Closed: 2018-07-29 03:22:44 UTC

Description John Griffiths 2018-05-16 14:19:58 UTC
Description of problem:
Trying to start dovecot which uses the postfix authorization.
SELinux is preventing dovecot from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that dovecot should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -X 300 -i my-dovecot.pp

Additional Information:
Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:system_r:dovecot_t:s0
Target Objects                Unknown [ capability ]
Source                        dovecot
Source Path                   dovecot
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-24.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.8-300.fc28.x86_64 #1 SMP Wed
                              May 9 20:23:40 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-16 10:15:41 EDT
Last Seen                     2018-05-16 10:15:41 EDT
Local ID                      f720295c-da38-400c-a2db-9402d2869a53

Raw Audit Messages
type=AVC msg=audit(1526480141.321:6579): avc:  denied  { dac_override } for  pid=19839 comm="dovecot" capability=1  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0


Hash: dovecot,dovecot_t,dovecot_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.8-300.fc28.x86_64
type:           libreport

Comment 1 W Agtail 2018-05-18 11:44:12 UTC
Description of problem:
systemctl restart dovecot
SELinux is preventing dovecot from starting due to various dac_override.
Thanks

Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.8-300.fc28.x86_64
type:           libreport

Comment 3 John Griffiths 2018-05-22 17:56:29 UTC
What info is needed?

Comment 4 Milos Malik 2018-05-23 08:02:47 UTC
# rpm -qa selinux-policy\* dovecot\* | sort
dovecot-2.2.35-2.fc28.x86_64
selinux-policy-3.14.1-24.fc28.noarch
selinux-policy-devel-3.14.1-24.fc28.noarch
selinux-policy-targeted-3.14.1-24.fc28.noarch
# ausearch -m avc -m user_avc -i
----
type=PROCTITLE msg=audit(05/23/2018 04:01:35.073:423) : proctitle=/usr/sbin/dovecot 
type=PATH msg=audit(05/23/2018 04:01:35.073:423) : item=0 name=/var/lib/dovecot/instances.lock nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/23/2018 04:01:35.073:423) : cwd=/run/dovecot 
type=SYSCALL msg=audit(05/23/2018 04:01:35.073:423) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x5628c3733f38 a1=0x7ffc44bb6950 a2=0x7ffc44bb6950 a3=0x23d8d86000000 items=1 ppid=1 pid=18673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(05/23/2018 04:01:35.073:423) : avc:  denied  { dac_override } for  pid=18673 comm=dovecot capability=dac_override  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0 
----

Comment 5 Milos Malik 2018-05-23 08:03:55 UTC
# ls -ld /var/lib/dovecot/
drwxr-x---. 2 dovecot dovecot 4096 May 23 04:01 /var/lib/dovecot/
# ls -ld /var/lib/dovecot/ssl-parameters.dat 
-rw-r--r--. 1 root root 230 May 23 04:01 /var/lib/dovecot/ssl-parameters.dat
# ls -l /var/lib/dovecot/
total 4
-rw-r--r--. 1 root root 230 May 23 04:01 ssl-parameters.dat
#

Comment 6 Alan Hamilton 2018-05-27 19:47:20 UTC
I ran it with path auditing enabled and got

time->Sun May 27 12:34:17 2018
type=PROCTITLE msg=audit(1527449657.919:196): proctitle="/usr/sbin/dovecot"
type=PATH msg=audit(1527449657.919:196): item=0 name="/var/run/dovecot/login/ipc-proxy" inode=103912 dev=00:16 mode=0140600 ouid=992 ogid=0 rdev=00:00 obj=system_u:object_r:dovecot_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

The issue is that processes lacking the dac_override SELinux permission have file permissions (rwx) enforced against them, even when running as root.

# ls -l /var/run/dovecot/login/ipc-proxy
srw-------. 1 dovenull root 0 May 27 12:34 /var/run/dovecot/login/ipc-proxy

A dovecot process running as root is expecting to be able to access this file, but that isn't true any more. The file (and some others created for user dovenull) should probably be created with permissions 660 rather than 600.
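
Added example (not part of the original thread and not dovecot or selinux-policy code): a small triage helper that applies the plain owner/group/other check to the PATH record quoted in comment 6, showing why a root process without dac_override is denied at mode 600 and would pass at 660. The SYSCALL record is constructed, and the requested access (read+write) is an assumption.

```python
import re
import stat

# PATH record as quoted in comment 6 (trimmed); the SYSCALL record is
# CONSTRUCTED for illustration and reduced to the credential fields.
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1527449657.919:196): success=no exit=-13 uid=0 gid=0 euid=0 fsuid=0 egid=0 fsgid=0 comm="dovecot" subj=system_u:system_r:dovecot_t:s0
type=PATH msg=audit(1527449657.919:196): item=0 name="/var/run/dovecot/login/ipc-proxy" inode=103912 dev=00:16 mode=0140600 ouid=992 ogid=0 obj=system_u:object_r:dovecot_var_run_t:s0 nametype=NORMAL
"""

def fields(line):
    """Parse the key=value pairs of one raw audit record into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def dac_allows(mode, ouid, ogid, fsuid, fsgid, want):
    """Owner/group/other check, i.e. what applies without CAP_DAC_OVERRIDE.
    Supplementary groups and ACLs are ignored (not in the audit record)."""
    if fsuid == ouid:
        bits = (mode >> 6) & 7
    elif fsgid == ogid:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def triage(event, want=6, mode_override=None):
    """want is an rwx mask (6 = read+write, an assumption about the access).
    mode_override lets you test a proposed mode against the same event."""
    recs = {}
    for line in event.splitlines():
        f = fields(line)
        if "type" in f:
            recs[f["type"]] = f
    sc, path = recs["SYSCALL"], recs["PATH"]
    mode = int(path["mode"], 8) if mode_override is None else mode_override
    ok = dac_allows(mode, int(path["ouid"]), int(path["ogid"]),
                    int(sc["fsuid"]), int(sc["fsgid"]), want)
    return {"path": path["name"], "perms": stat.filemode(mode),
            "needs_dac_override": not ok}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))                        # mode 600 as logged
    print(triage(SAMPLE_EVENT, mode_override=0o140660))  # proposed mode 660
```
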

Comment 7 Lukas Vrabec 2018-06-03 13:17:25 UTC
Moving to dovecot. 

The issue is more on the dovecot side than on the SELinux side.

From the following syscall we can see that dovecot runs as root:root:
type=SYSCALL msg=audit(05/23/2018 04:01:35.073:423) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x5628c3733f38 a1=0x7ffc44bb6950 a2=0x7ffc44bb6950 a3=0x23d8d86000000 items=1 ppid=1 pid=18673 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dovecot exe=/usr/sbin/dovecot subj=system_u:system_r:dovecot_t:s0 key=(null) 
type=AVC msg=audit(05/23/2018 04:01:35.073:423) : avc:  denied  { dac_override } for  pid=18673 comm=dovecot capability=dac_override  scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=capability permissive=0 

and is trying to access the file:
drwxr-x---. 2 dovecot dovecot 4096 May 23 04:01 /var/lib/dovecot/

There are no permissions for others. In DAC, root could access all objects on the system, but not in MAC.

Please fix permissions on /var/lib/dovecot.

Comment 8 Michal Hlavinka 2018-06-07 08:05:16 UTC
*** Bug 1582729 has been marked as a duplicate of this bug. ***

Comment 9 Michal Hlavinka 2018-06-07 08:05:54 UTC
*** Bug 1560704 has been marked as a duplicate of this bug. ***

Comment 10 Michal Hlavinka 2018-06-07 08:14:02 UTC
TLDR; dovecot needs dac_override capability

I've checked this and found out that the ownership and permissions as specified in the spec file are correct. If I change them to what was suggested, dovecot will complain and change them back. While it seems that this one (first) SELinux denial message could be (maybe, theoretically) fixed, it will fail for other paths. Dovecot splits into quite a few services (worker processes) and it's not possible to set the permissions and ownerships easily without creating a mess with many artificial ones, and that's a no-go. Dovecot itself is aware of this capability and that it requires it, see CapabilityBoundingSet at https://bit.ly/2sR2B3Y (this was later removed, as it broke some plugins that require even more)

Comment 11 Fedora Update System 2018-07-25 22:28:20 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 12 Fedora Update System 2018-07-26 16:30:48 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 13 Fedora Update System 2018-07-29 03:22:44 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Ali 2020-07-07 12:33:27 UTC
Hi all,
>Turn on full auditing
># auditctl -w /etc/shadow -p w

I cannot find this file in Android. How do I turn on full auditing in Android?

Comment 15 Ali 2020-07-07 12:37:12 UTC
Hi all,
>Turn on full auditing
># auditctl -w /etc/shadow -p w

I cannot find this file in Android. How do I turn on full auditing in Android?

Comment 16 Alan Hamilton 2020-07-07 15:40:42 UTC
(In reply to Ali from comment #15)
> I cannot find this file in Android. How do I turn on full auditing in
> Android?

This is the bug tracker for the Fedora and Red Hat Linux distributions. Android issues are over at https://issuetracker.google.com/